chore(deps): bump hono and openclaw

[dependabot]

Removes hono. It's no longer used after updating ancestor dependency openclaw. These dependencies need to be updated together.

Removes hono

Updates openclaw from 2026.3.11 to 2026.6.1

Release notes

Sourced from openclaw's releases.

openclaw 2026.6.1

Highlights

• Agents and CLI-backed runtimes recover more cleanly from interrupted tool calls, stale session bindings, compaction handoffs, and media delivery retries. (#88129, #88136, #88141, #88162, #88182)
• Channels and mobile delivery are steadier across Telegram, WhatsApp, iMessage, Slack, Discord, Microsoft Teams, Google Chat, Google Meet, and iOS realtime Talk. (#88096, #88105, #88183, #88231)
• Provider and plugin requests now bound more timers, retries, OAuth/device-code lifetimes, media downloads, local service probes, and generated-content polling paths before they can hang a run.
• Skills, session metadata, gateway runtime state, plugin metadata, memory watchers, and store writes do less repeated work on hot paths while keeping config, dispatch, and Linux file-watch behavior stable. (#89185, #89188, #85351) Thanks @​RomneyDa and @​NianJiuZst.
• Skills and plugin loading now handle stale disabled snapshots and loader failures more clearly, so channel turns avoid disabled SecretRefs and operators get better recovery guidance. (#79072, #79173) Thanks @​zeus1959.
• Workboard, SecretRef plugin manifests, hosted iOS push relay, and external Copilot/Tokenjuice packaging add broader orchestration, integration, and plugin delivery surfaces. (#82326, #87469, #87796, #88107, #88117)
• Skill Workshop now has a fuller Control UI flow with proposal lists, today actions, revision handoff, searchable file previews, review states, locale coverage, and reusable session routing.
• Chat and Control UI startup paths keep sends alive through history loading, stream deltas incrementally, skip markdown work while streaming, keep drafts local while typing, clear the composer after sends, trace first-output latency, prioritize first connect, and expose calmer composer controls. (#88772, #88825, #88998, #89030, #89106) Thanks @​vincentkoc and @​sallyom.
• Provider coverage and model metadata now include MiniMax M3, account OAuth endpoints, Google/Vertex catalog fixes, OpenRouter SQLite model caching, Copilot Claude 1M capabilities, Foundry reasoning alignment, and OpenAI response replay guards. (#88480, #88512, #88851, #88860)
• iMessage monitor state, inbound queues, and plugin install ledgers moved toward SQLite-backed state so restarts and local monitors recover with less duplicate filesystem scanning. (#88794, #88797)
• Release, CI, Docker, E2E, plugin install, and diagnostics lanes now cap more logs, response bodies, readiness probes, artifact checks, status polling, child workflow waits, docker package cleanup, quiet test stalls, and rollback snapshots so failures report bounded proof instead of stalling. (#88966) Thanks @​RomneyDa.

Changes

• Docs: add a dedicated Skill Workshop guide covering governed skill creation, reviewable proposals, CLI, Gateway, agent tool behavior, approval policy, support files, and recovery, and refresh the ClawHub showcase cards. (#88734) Thanks @​shakkernerd and @​vyctorbrzezowski.
• Skills: let the skill_workshop agent tool apply, reject, and quarantine explicit proposals through the guarded review flow. Thanks @​shakkernerd.
• Skills: let proposals carry approved support files under standard skill folders, with scanner, hash, and rollback safeguards. Thanks @​shakkernerd.
• Skills: let pending proposals be revised in place with versioned, dated proposal frontmatter before approval. Thanks @​shakkernerd.
• Skills: add Skill Workshop with pending proposals, CLI/Gateway review actions, rollback metadata, and the skill_workshop agent tool. Thanks @​shakkernerd.
• Skill Workshop: add the Control UI navigation, styled dashboard, proposal today view, revision dialog, file preview modal, searchable preview files, reusable session handoff, and localized strings.
• Plugins: externalize Tokenjuice as the official @openclaw/tokenjuice plugin with npm and ClawHub publish metadata.
• Plugins: externalize the GitHub Copilot agent runtime as the official @openclaw/copilot plugin with npm and ClawHub publish metadata.
• iOS: add hosted push relay defaults, realtime Talk playback, and a guarded WebSocket ping path for more reliable mobile sessions. (#88096, #88105, #88231)
• iOS: support native iPad display layouts.
• Workboard: add orchestration primitives and agent coordination tools for multi-agent planning and run tracking. (#87469)
• Workboard: wire task-backed board runs and show task comments in the edit modal.
• Code mode: add internal namespaces for scoped agent/global sessions and exact namespace tool dispatch. (#88043)
• Code mode: add MCP API files and docs for code-mode integrations.
• Control UI: add a Dreaming-tab agent selector and propagate the selected agent through Dreaming status, diary, and diary actions. (#78748) Thanks @​stevenepalmer.
• Control UI: add calmer chat composer controls, local draft typing state, and first-output latency instrumentation for active chat entry. (#88772, #88998) Thanks @​vincentkoc.
• Plugins: add a SecretRef provider integration manifest contract and extract shared LLM core packages for provider/plugin reuse. (#82326, #88117)
• Plugins: persist the plugin install index in SQLite so installed package lookup survives reloads with less filesystem scanning. (#88794)
• Providers: add MiniMax M3 model support. (#88860)
• Doctor: add disk space health checks and stabilize post-upgrade JSON probes.
• Channels: store inbound queues in SQLite and migrate iMessage monitor state to SQLite-backed tracking. (#88797)
• Skills: add the core skills index and centralize skills runtime loading, status, filtering, and prompt formatting.

Fixes

• Release/CI/E2E: fail early when Crabbox sparse-sync full checkouts do not have enough local disk, with guidance for moving the sync root.
• Build: render independent CLI startup metadata help snapshots concurrently to cut cold build-all metadata time.
• Plugins: stop timed-out package-boundary prep steps by process group so descendant TypeScript/helper processes do not survive local check cleanup.
• Control UI: serve static assets asynchronously after safe-open checks so large UI files do not block Gateway request handling.
• Scripts/UI: forward direct wrapper SIGHUP shutdown to child processes so terminal hangups do not leave wrapped dev commands running.
• Gateway: return the post-expiration pending-work revision from node drains so reconnecting nodes do not observe stale queue revisions after expired items are pruned.
• Release/CI/E2E: keep temporary full-sync checkouts alive while slow Crabbox leases boot, so sparse worktree runs do not lose their sync source before file-list generation.

... (truncated)

Commits

• 2e08f0f chore(release): refresh plugin sdk baseline
• 709b98f chore(release): prepare 2026.6.1 stable
• 3b53e2c fix(ci): align health gateway mock typing
• 30d7f3b fix(ci): stabilize shrinkwrap package ordering
• 9853607 chore(release): prepare 2026.6.1 beta 3
• 28b76fc fix(ci): preserve shrinkwrap dependency fork resolutions
• c6d88b4 fix: handle gateway health credential errors (#89731)
• ba0a7f7 fix(ui): localize skill workshop view switcher
• caa1810 fix(kimi): strip anthropic cache markers
• 5f9b45b fix(google): forward Gemini stop sequences
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for openclaw since your current version.

Install script changes

This version adds preinstall, postinstall scripts and modifies prepare script that run during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.